Apple’s advice to rely on Gatekeeper as a mitigation against a Keychain attack disclosed this week by researcher Patrick Wardle doesn’t fully address the risk.
Experts, Wardle included, said that while Gatekeeper is a solid measure in preventing unsigned code from executing on a macOS machine, it doesn’t prevent, in this case, malware signed with a legitimate Apple developer certificate from executing and dumping passwords stored in the Keychain. Wardle’s proof-of-concept attack disclosed to Apple was unsigned.
Wardle privately disclosed the vulnerability and attack to Apple earlier this month, and Apple indicated a patch would be forthcoming. In the meantime, however, an attacker who has already gained a foothold on a Mac could use this as a second-stage attack to harvest the credentials stored in the keychain.
Apple's statement to Threatpost, meanwhile, focused on unsigned apps, which would trigger an alert from Gatekeeper, the native macOS security feature that checks code signatures on downloaded applications before they are allowed to run.
Increasingly, attackers are finding ways to bypass Gatekeeper and sneak apps into the App Store that are signed with legitimate certificates.
“That prerequisite of getting initially infected is a high prerequisite,” Wardle said. “That’s the area of focus and probably why Apple responded with Gatekeeper. That wouldn’t have been my response. But I like where they’re going in terms of being careful where you’re downloading apps from and following good security practices. Unfortunately we are seeing things like legitimate applications and websites getting hacked (Handbrake, Transmission). And in those scenarios, those are signed apps being hosted on legitimate websites and the user is pretty much done.
“I think it’s important for Apple to build in these secondary lines of defenses where even if that happens when something tries to hijack the keychain, it’s pretty much blocked.”
Wardle, chief security researcher at Synack and a former NSA analyst, says he approaches attacks against macOS under the assumption that an attacker already has code running locally.
“I’m always thinking about this from the point of view that malware is on your box already; people are going to hack you whether it’s adware or signed Mac malware, or nation states that are going to have advanced capabilities,” he said. “Once they get on your box, what can they do? There are a lot of secondary security implementations that Apple builds into the operating system (System Integrity Protection or Secure Kernel Extension Loading) that are designed to limit what a piece of malicious code can do. I like to focus on those and how I can bypass those secondary layers of defense.”
As for this attack, the Apple Keychain is protected by access controls meant to prevent apps or other code from programmatically reading the secrets it stores. Wardle said that even signed apps or utilities that query the keychain must supply the user's password or go through a user-interaction prompt before they can access an item's data.
“This exploit is nice because it sidesteps those requirements and accesses the contents of the keychain,” Wardle said.
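To make the access-control layer described above concrete, the following is an added example, not code from the article and not Wardle's proof-of-concept, of how a macOS program reads a keychain secret through Security.framework and what it sees when the item's ACL does not trust the calling binary. The service and account names are assumptions chosen for illustration.

```swift
// Added illustration (not from the article): the ACL check a legitimate
// keychain read goes through on macOS. Service/account names are assumed.
import Foundation
import Security

/// Outcome of a keychain read, separating "ACL wants the user's consent" from other errors.
enum KeychainRead {
    case secret(String)
    case notFound
    case needsUserInteraction   // the item's ACL does not list this binary; a dialog would be shown
    case failed(OSStatus)
}

/// Check whether an item exists without touching its secret. Attribute-only
/// queries are not gated by the item's ACL, so this never prompts.
func genericPasswordExists(service: String, account: String) -> Bool {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecMatchLimit: kSecMatchLimitOne,
        kSecReturnAttributes: true,   // metadata only, no kSecReturnData
    ]
    var result: CFTypeRef?
    return SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess
}

/// Read the password for `service`/`account` from the user's keychains.
/// Asking for the secret (kSecReturnData) is what triggers the ACL check.
/// With `allowPrompt == false`, user interaction is disabled for the process,
/// so a read the ACL would gate behind an "allow access" dialog comes back as
/// errSecInteractionNotAllowed instead of prompting.
func readGenericPassword(service: String, account: String, allowPrompt: Bool) -> KeychainRead {
    // File-based (login) keychain ACLs honour this process-wide switch.
    _ = SecKeychainSetUserInteractionAllowed(allowPrompt)
    defer { _ = SecKeychainSetUserInteractionAllowed(true) }

    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecMatchLimit: kSecMatchLimitOne,
        kSecReturnData: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)

    switch status {
    case errSecSuccess:
        guard let data = result as? Data, let text = String(data: data, encoding: .utf8) else {
            return .failed(errSecDecode)
        }
        return .secret(text)
    case errSecItemNotFound:
        return .notFound
    case errSecInteractionNotAllowed,   // a dialog was required but prompting is disabled
         errSecUserCanceled:            // the user dismissed the dialog
        return .needsUserInteraction
    default:
        return .failed(status)
    }
}

// Usage from a command-line tool (service/account names are assumed):
let service = "example-service"
let account = "demo"
if genericPasswordExists(service: service, account: account) {
    switch readGenericPassword(service: service, account: account, allowPrompt: false) {
    case .secret(let s):
        print("read \(s.count) characters silently: this binary is in the item's ACL")
    case .needsUserInteraction:
        print("the item's ACL would prompt; not reading it without the user's consent")
    case .notFound:
        print("no such item")
    case .failed(let st):
        print("keychain error \(st)")
    }
} else {
    print("no item for \(service)/\(account)")
}
```

The distinction the two functions draw is the one the article is about: listing or inspecting items is cheap and silent, but pulling the secret out of an item whose ACL does not name the caller is supposed to stop at a dialog, which is the layer an attack that "sidesteps those requirements" would have to get around.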
Wardle’s attack works against High Sierra, released this week, and against macOS Sierra, and likely against El Capitan as well, though he has not yet tested it on that version.
Wardle has not disclosed any details about the specific vulnerability. The Apple Keychain, meanwhile, is an encrypted container that stores system passwords and saved credentials used to access web-based services and applications. It can also store other sensitive data such as payment card data and banking PINs.